Obscurity is not a valid security practice, Joe.
Ubuntu is still vulnerable IF you are using a vulnerable program such as Java or pretty much any Adobe product.
A fresh, clean, fully-patched, out of the box installation of any operating system is going to be as secure as that platform will ever be. Once you start installing “your favorite program(s),” you inevitably introduce vulnerabilities. Few people ever keep a clean core OS.
The simple fact is that the criminals go for where the money is, 99% use windoze or osx or some mobile crap. Why would they bother to beat their brains out trying to hack ubuntu when we are just a bunch of people that can’t even afford to buy a real OS? ;)